panGloss

A UK-based cyberlaw blog by Lilian Edwards. Specialising in online privacy and security law, cybercrime, online intermediary law (including eBay and Google law), e-commerce, digital property, filesharing and whatever captures my eye:-)
Based at The Law School of Strathclyde University . From January 2011, I will be Professor of E-Governance at Strathclyde University, and my email address will be lilian.edwards@strath.ac.uk .

Thursday, June 30, 2016

Im briefly reviving Pangloss to publicise something I think important that just came out as a broad hint from the Research briefing team at the House of Lords.

This just came out: http://researchbriefings.parliament.uk/ResearchBriefing/Summary/LLN-2016-0034

It contains the usual stuff about art 50 (no one knows if Parl has to agree or not, or if it falls with the PM's prerogative) but then..

"Parliament would have a statutory role in ratifying an eventual withdrawal agreement and any other international agreements arising from the negotiations if they were subject to the usual procedure for ratifying treaties. The House of Commons potentially has the power to block the ratification of a treaty indefinitely;the House of Lords does not. Under the terms of Article 50, the UK’s membership would cease two years after it gave formal notification of its intention to leave, if no withdrawal agreement had come into force by that point, although the two-year period could be extended on the unanimous agreement of all EU member states."

In other words, Gove (say) could call art 50, negotiate EEA or something else and then find Parl would not pass it.

The EU wouldn't care (or might not anyway - we'd be out) : but it would cause chaos here. Any attempts to stay in the Single market would fail.

This HAS to be a "golden rule" argt to interpret art 50 the Pannick way ie Parl having to say yes before an art 50 notification is given. If a provision interpreted literally does not make sense in UK law - as here, allowing the PM to start something which he would be incapable of finishing - then it has to be interpreted in a more purposive way.

ie in a way that respects existing law on division of power between Parl and PM. And then we re introduce Pannick's ev that there is a basic rule the preorgative should not be used to disempower established Parliamentary competence. Only this time it is non controversial as no one can argue Parl does NOT have the prior and established right to ratify a treaty even if PM has negotiated it.

Thursday, August 07, 2014

No they don’t, actually. Just the people who get to write in mass
media. Few people in Europe, and fewer still in the US, realise that a
surreptitious propaganda war is being fought around the simple idea that if personal
information has been distributed about you, which is erroneous, outdated,
incomplete or in some way unreasonably harms you, then you should have the right to have that
information rectified or take down. All that is new about the Google Spain decision is that it extends
this right from people or hosts who publish the data, to search engines that
link to it.

But this basic concept worries Google, a
lot. Partially because it might cost them money and reduce credibility in the integrity
of their database, but mostly on principle : because it implies that states and
courts – and worse still European states and courts – have a right
to have a say in regulating Google’s business activities. And the right to be forgotten also worries the
media, a lot : because they fear it might interfere with their freedom to write
lucrative stories hostile to the subject of the piece. (This fear is,
incidentally, misguided – see myth 2 below).

So if you honestly think the right to be
forgotten is a bad idea, then that is your (sic) right. But don’t believe the
hype.

2 Well, whoever’s pushing the opposition to
the right to be forgotten, it’s clearly a bad idea because it destroys free
speech.

No it doesn’t. The foundational idea of EC
data protection law – that you should have the right to control the processing
of data about yourself - has been uncontroversial in Europe since 1995, or earlier.Imagine that outdated bad debt information still
scars your credit record; or you posted a stupid picture of yourself drunk on Facebook when you were 13 and now it haunts
your applications for responsible jobs; or perhaps you shared an intimate
picture of yourself with your ex-boyfriend when you were young and in love and now
he has posted it on a revenge porn site.

Is it such an unreasonable idea to be able
to clear the slate in these circumstances? And is there really a compelling public
interest in ephemeral quotidian details about ordinary people, which in a pre-digital
world would have long faded into obscurity?

Of course there needs to be a balance with
the public interest, if such rights are not to become a whitewash for public
figures disguising their shady dealingsor bolstering their PR-created reputations. But this has never been doubted. The Google Spain decision very clearly reads
in an exception that if a data subject played a role in “public life”, then the “preponderant
interest of the general public” – their right to know – would win out. The draft
Data Protection Regulation, which would reform data protection law and put the
right to be forgotten on a clearer, statutory basis goes further, including extensive
reference to the need to balance both “freedom of expression” and the “historical,
statistical and scientific” record.

Finally, both existing and new law
recognise the rights of journalists to report on the public record by giving
them exemption from DP law almost entirely. Google argued it was a journalist
in the Google Spain case, and failed:
but for conventional media , the right to be forgotten is simply not a threat. (Arguably
it might even be good for it to incentivise journalists to investigate more
using professional skills, and rely on flaky Google and Wikipedia data less.)

One, it might be hypothesised that
Google are occasionally ignoring the
clear instructions of the court to take the public record into account, and sometimes allowing delinking when they
should have refused, so as to generate scare take down stories that discredit
the right to be forgotten. On this, like Francis Urquart in House of Cards, I couldn’t possibly comment.

Second, there is a popular
misconception that any Google takedown means the content disappears from the
Web. This again is a myth that needs shot. First, the content stays up on the original
page – only the link disappears. This is
obvious, though often ignored. But, secondly, and rather more subtly, only the link from the name of the person making
the take down request to the story that name appears in disappears.

So, in one of the much publicised Guardian stories allegedly removed by
Google, it turned out the person making the erasure request was not the public
figure the article was about (let’s say X), but an obscure person who’d been
named in comments (let’s call him/her Y). You say, but the article still disappears,
right? No. Only if you search on Y, will
the link not come up. A journalist searching on X (as is rather more likely) however would still find the information right
there. (And since I can find numerous stories about Adam Osborne’s Muslim wedding on page 1 of the Google results by searching
on “Adam Osborne Muslim”, including the
original 2011 Guardian story, it looks quite likely that’s what was going
on there.)

If you want to worry about
invisible censorship on the Internet, try looking at copyright rather than privacy
for a moment. Jimmy Wales says (as of 6 August 2014) that Google have received
over91,000 removal requests under
the right to be forgotten since 13 May 2014, when the Google Spain decision was delivered. In that time, Google will
probably have received 81 million
requests for URLs to be taken down on copyright grounds. Many of these are
known to be sometimes completely spurious, and while a few of these are
protested, most are completely unnoticed. Are
these not also part of our history?

But more fundamentally, what
exactly is this “right to remember”? Remember what? Do you have a right to remember
that I bit my brother when I was 8, and he broke my front tooth in revenge? I
am a law professor and he is a lawyer. This sentence may now be spidered by
Google. Is this banal anecdote therefore now part of the “public record” – the all-encompassing
true historical account Jimmy Wales defends so severely (I do after all have a
Wikipedia page) – or is it valueless
gossip that in a pre-Googlified world would have vanished outside of my
immediate family within days?

In Dave
Eggers The Circle, a satire that
is fast becoming fact, keeping any information to yourself is seen as so
selfish and so threatening that a sheer desire for solitude instead of being “live”
on the Internet becomes antisocial behaviour, with brief moments free of the omnipresent
public gaze snatched in toilet cubicles. In this world, “secrets
are lies”, “sharing is caring” and “privacy is theft”. Is this where we
want the “right to remember” to take us?

Tuesday, July 15, 2014

To all Members of Parliament,
Re: An open letter from UK internet law academic experts

On Thursday 10 July the Coalition Government (with support from
the Opposition) published draft emergency legislation, the Data Retention and
Investigatory Powers Bill (“DRIP”). The Bill was posited as doing no more than
extending the data retention powers already in force under the EU Data
Retention Directive, which was recently ruled incompatible with European human
rights law by the Grand Chamber of the Court of Justice of the European Union
(CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and
Seitlinger and Others (C-594/12) handed down on 8 April 2014.

In introducing the Bill to Parliament, the Home Secretary framed
the legislation as a response to the CJEU’s decision on data retention, and as
essential to preserve current levels of access to communications data by law
enforcement and security services. The government has maintained that the Bill
does not contain new powers.

On our analysis, this position is false. In fact, the Bill
proposes to extend investigatory powers considerably, increasing the British
government’s capabilities to access both communications data and content. The
Bill will increase surveillance powers by authorising the government to;

·compel any person or
company – including internet services and telecommunications companies –
outside the United Kingdom to execute an interception warrant (Clause 4(2));

·compel persons or
companies outside the United Kingdom to execute an interception warrant
relating to conduct outside of the UK (Clause 4(2));

·compel any person or
company outside the UK to do anything, including complying with technical
requirements, to ensure that the person or company is able, on a continuing
basis, to assist the UK with interception at any time (Clause 4(6)).

·order any person or
company outside the United Kingdom to obtain, retain and disclose
communications data (Clause 4(8)); and

·order any person or
company outside the United Kingdom to obtain, retain and disclose communications
data relating to conduct outside the UK (Clause 4(8)).

The legislation goes far beyond simply authorising data
retention in the UK. In fact, DRIP attempts to extend the territorial reach of
the British interception powers, expanding the UK’s ability to mandate the
interception of communications content across the globe. It introduces powers
that are not only completely novel in the United Kingdom, they are some of the
first of their kind globally.

Moreover, since mass data retention by the UK falls within the
scope of EU law, as it entails a derogation from the EU's e-privacy Directive
(Article 15, Directive 2002/58), the proposed Bill arguably breaches EU law to
the extent that it falls within the scope of EU law, since such mass
surveillance would still fall foul of the criteria set out by the Court of
Justice of the EU in the Digital Rights and Seitlinger judgment.

Further, the bill incorporates a number of changes to
interception whilst the purported urgency relates only to the striking down of
the Data Retention Directive. Even if there was a real emergency relating to
data retention, there is no apparent reason for this haste to be extended to
the area of interception.

DRIP is far more than an administrative necessity; it is a
serious expansion of the British surveillance state. We urge the British
Government not to fast track this legislation and instead apply full and proper
parliamentary scrutiny to ensure Parliamentarians are not mislead as to what
powers this Bill truly contains.

Signed,

Dr Subhajit Basu, University of LeedsDr Paul Bernal,
University of East AngliaProfessor Ian Brown,
Oxford UniversityRay Corrigan, The Open
UniversityProfessor Lilian
Edwards, University of StrathclydeDr Theodore
Konstadinides, University of SurreyProfessor Chris Marsden,
University of SussexDr Karen Mc Cullagh,
University of East AngliaDr. Daithí Mac Síthigh,
Newcastle UniversityProfessor David Mead,
University of East AngliaProfessor Andrew Murray,
London School of EconomicsProfessor Steve Peers,
University of EssexJulia Powles, University
of CambridgeProfessor Burkhard
Schafer, University of EdinburghProfessor Lorna Woods,
University of Essex

Friday, May 30, 2014

Google has implemented the "right to be forgotten" imposed by Google Spain on 13 May 2014. At slightly over two weeks for a response, this puts most actual governments to shame :-) Having failed totally to comment on the original document due to overwork swamp, I'll say a few things about the response.

The form allows EU users to ask search engines to remove results for queries that include their name where those results are “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed.”.This is clearly narrower than the full scope of the right granted by the judgment.

" As regards Article 12(b) of Directive 95/46,
the application of which is subject to the condition that the processing
of personal data be incompatible with the directive, it should be
recalled that, as has been noted in paragraph 72 of the present
judgment, such incompatibility may result not onlyfrom the fact that
such data are inaccurate but, in particular, also from the fact that
they are inadequate, irrelevant or excessive in relation to the purposes
of the processing, that they are not kept up to date, or that they are
kept for longer than is necessary unless they are required to be kept
for historical, statistical or scientific purposes." [emphasis added][italics added][para 92]

Only the parts of the judgment in italics above have currently been implemented. Strange that the form does not specify "inaccuracy" as a ground which is clearly signposted by the judgment, though was not true in the actual case of Mr Costeja Gonzalez.

Art 12 (b) actually specifies that rectification, erasure or blocking can be obtained, inter alia, if data is "incomplete or inaccurate" (the word "incomplete" not cited by ECJ) and more generally as noted above if it is "incompatible with the Directive".

What does this mean?
I would argue these are all possible claims to Google to ask to have links removed-

a celebrity who has changed their image since a picture was put online ("inaccurate")

a celebrity who has not changed their image but for whom the picture is unflattering in relation to the whole corpus of their online photos eg taken from a bad angle or on a bad hair day ("incomplete")

a celebrity who at one point contractually agreed to have pictures taken and posted but who has now changed their mind about their dissemination on the Internet (after having been paid in full?) , Because they have withdrawn consent as a ground for processing , processing is now "incompatible with the Directive"

In short Google are, perhaps, currently (understandably) attempting to dodge the bullet of implementing a full blown EU image right (for countries many of which have no such thing, or not in clear statutory terms) by dressing up their offering with the language of history, reputation and freedom of expression. One can understand why. There will be many other edge cases to come.

The form itself is mainly pretty sane. A few points are worth pointing out:

they are choosing not to roll the right out to non EU citizens. I
thought there was a chance in the interests of harmonisation/efficiency
they might have done. Since Google is a private company not the government, my view is this would have simply been a private choice, not a breach in any way of First Amendment, and so viable (see CyberPromotions v AOL, waaay back in l996, though have we had the judicial discsusion since as to whether Google is more like a "traditional public form" now than AOL was?) That would have been unlikely given the likely shrieks of tarnishing of free speech in the US but would have made the process of identifying an EU citizen uneccessary (see below) and would have been extremely fun to watch:) (Plus, recall that California is rolling out the right to be forgotten to minors anyway from 2015 - though whether this survives Constitutional challenge is also as yet unclear.) Wouldn't Google have got lots of brownie points for offering US citizens extra privacy rights in the post Snowden backlash era? or would the civil rights lobby for speech make their lives not worth willing? maybe one to watch for the future if the EU experience pans out well?

they are choosing to (they say) do an initial assessment in-house of privacy claim vs public interest in freedom of expression and historical record.

"When evaluating your request, we will look at whether the results include outdated information about you, as well as whether there’s a public interest in the information—for example, information about financial scams, professional malpractice, criminal convictions, or public conduct of government officials."

Again I thought they might choose path
of least resistance, which would have been simple take down on request, and wait for someone else to complain and then demand adjudication to put back, as with DMCA take downs, but no. The problem of course with applying the DMCA "put back"model to the right to be forgotten is that here there is no-one who has a clear agenda (or funding) to oppose take down. As I noted on Twitter with privacy even in Europe there is no relevant organisation: the role of the DP authority is to protect privacy rights, not freedom of speech and they have no training or aptitude, or , again, funding, to take on a kind of historical assessment or investigatory role.

Identification of claimant was going to be the toughest one. The routes
chosen are the obvious ones and can of course be easily faked but should
mainly do the job; choosing a digital signature would have been v onerous. Will we see US citizens faking up EU credentials to get stuff removed? Of course in most cases Google's own database would provide the evidence of the true national identity (needed of course to serve the right ads, and in the right language) - but will they set their investigatory algorithms up to find this out? Probably.

We don't have any indication how many people will be in the evaluation
team, how far the investigation will be done solely by automated means (maybe) and if the
results will go in the Transparency Report (probably).

Friday, April 04, 2014

I was
interviewed yesterday by the Metro free newspaper on this point, following the onlineprotest tweets by many Mozilla employees in the US that they did not want a
boss who had donated money to an anti-gay marriage fighting fund. In the US
where freedom of speech is prized, employees not only successfully ousted their new boss, but kept their jobs. In the UK, it might have gone the other
way, with disconduct proceedings or dismissal not impossible! The Metro were keen on me making a blanket statement that you either were or weren't sacked if you dissed your booss online but Pangloss was not so foolish. Instead I advised users out there not to vent about their work on open to air
Twitter accounts but to save it for Friends locked Facebook, and if possible,
to make sure you trusted everyone on that Friends list (including fellow
workers who might clipe on you – or move them to a special no-read-work-stuff
list).

Think
about putting a disclaimer on your Twitter account that your tweets are
not
those of your employers, and even then, if possible avoid defamation, racist or
hate
speech or harassment, especially of co-workers. Remember the fate of the
specially appointed 17 year old youth Police Commissioner who lost her £15K a year job when the press started looking at her racist tweets! (Pangloss herself just went and guiltily put a
long overdue disclaimer on her public Twitter feed @lilianedwards (to
which co-writer Dr Ian Brown of the OII, said, what, would ANYONE EVAH think
I represent the views of the University of Oxford? Only the employment
tribunals , I replied..)

Pangloss coincidentally had been writing (as usual) an overlong tome with @mooseabyte on police surveillance of social media when the Metro rang, and it has certainly opened her already jaundiced eyes. Absolutely everyone using public social media should always be aware
that while it may feel like only you and your mates care about what you
had for breakfast, in fact 100s if not 1000s of people may be listening to
, monitoring and data mining you – including not only those who pay per tweet to attach the Twitter data firehose to their Hadoop servers, but , increasingly , the police. SOCMINT - social media intelligence - is the shiniest thing on the block and as yet the general consensus seems to be that anything that is said on unlocked social media, however small the intended audienbce, is fair game for the Old Bill. In fact the legal situatuion is a bit more uncertain, with recent ECHR case law pointing to the existnece of areasonable expectation of privacy even in public spaces - which seems to apply by extension to things said or done on public social media. A rather more nuanced treatment of the subject can be found in the recent Demos report on how police may sometimes need covert surveillance authorisation - eg when constructing fake profiles to gain access to locked profiles on facebook - but for an even more critical perspective , await Lachlan and my paper at the SSN Conf in sunny Barcelona!

Thursday, September 26, 2013

New Scientist, the
leading UK magazine on science and technology, recently covered GikII, the world’s first law, technology and
popular culture workshop, which has run annually for 8 years and is chaired by Professor Pangloss ie
Lilian
Edwards ofStrathclyde’s Centre for Internet Law and Policy .
The New Scientist piece (behind a paywall,
but extract
available here) covers questions raised at GikII such as whether a robot
can libel you and what the legal and societal effects of teleportation might
be, and reports in detail ongoingresearch by Lachlan Urquhart,
now a PhD candidate at Nottingham co-supervised from CILP, into legal regulation
of drones, as well as asking if in the future lawyers will be replaced by
computers. Thankfully, the article concludes this is unlikely to happen any
time soon!

Meanwhile, the most recent GikII, in Bournemouth
in September 2013, failed to provide the much looked forward to sun, but there was sea, sand and salty deep fried objects to die for, as well as the usual intellectual frolics. I finally gave the paper "Slave to the Algo-Ryhthm" I'd been mulling on for what seems like years on Google, algorithms, competition, libel
and data protection (only a week after reading a piece by Ute Kohl in IJLIT which does it all much better. Go thou and read it. )